After having uninstalled and reinstalled Microsoft Security Essentials, a scan found a virus/trojan and a message came up saying that Windows would automatically restart in one minute. The computer is now stuck in a loop of automatically restarting every time Windows opens. I've read the other topics on this and run the Farbar scan. I will put the log below. Any help would be greatly appreciated.

PS. I have no other computer at home, so there may be a day or two between me replying to any messages as I try to use either my friend's computer or my computer at work.

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 21-07-2012 20:47:32
Running from G:\
Windows Vista  Home Premium (X86) OS Language: English(US)
The current controlset is ControlSet002

First, I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met.

Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.

Please perform all steps in the order they are listed in each set of instructions. Some steps may be a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.

When you post your reply, do not use the button but use the button instead.

In the upper right hand corner of the topic you will see the button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.

If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.

When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.

I would like to remind you to make no further changes to your computer unless I direct you to do so.

Now let's get started

===================================================

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.

Please allow me some time to review the information you have provided. I will post back as soon as possible.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evidence of financial institution irregularities.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

===================================================

Farbar's Recovery Scan Tool Search

--------------------

In Vista or Windows 7: Boot to System Recovery Options and run FRST.

Type the following in the edit box

Search: services.exe

Click the Search button and post the log (Search.txt) it makes in your reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 20-07-2012 01
Ran by SYSTEM at 2012-07-26 20:01:15 Run:1
Running from G:\

==============================================

C:\Windows\Installer\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf} moved successfully.
C:\Users\Carl\AppData\Local\{6018c0b1-d69b-8b9c-e643-2a34a36af6cf} moved successfully.
C:\Windows\assembly\GAC\Desktop.ini moved successfully.

A small box will open, with an explanation about the tool. No input is needed, the scan is running.

Two Notepad documents will open - DDS.txt and Attach.txt. Please copy and paste the results in your reply

Close the program window, and delete the program from your desktop

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Thanks for the advice so far. The problem started up when MSE was scanning. Would it be advisable to remove MSE and download a new A/V? If so, should I do that now or wait until we've cleaned things up a bit more?

The choice of which antivirus software to use is a personal one. 2 other good (free) ones are Avast and Avira. However, remaining protected goes beyond just installing an antivirus program and I will be providing additional information to you when we have finished cleaning your computer. Let's wait on any potential change of programs until after we have determined your computer is clean.

We are off to a good start. Once I am able to review the DDS and Attach logs we will have a better idea where we stand now and what other steps we might need to take.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)

Double click on Combofix.exe and follow the prompts. It is important you do not mouseclick while the program is running or it may stall.

Note #1: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If, based on the below, you have concluded ComboFix has stopped running please stop and advise me.

Check your computer clock. If it is still running then so is ComboFix

Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running

Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running

Note #2: If you receive the following error "Illegal operation attempted on a registry key that has been marked for deletion" please just restart your computer to resolve this issue.

When finished, it will produce a log. Please include the C:\Combofix.txt log in your next reply.

===================================================

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.